Samsung’s Galaxy S III has a lock screen bug, too

The exploit gives attackers access to everything on the phone.


Andrew Cunningham

When iOS 6.1 was released, it introduced an as-yet unfixed lock screen bug that could give an attacker with physical access to an iPhone entry to the phone's dialer app and all of the information therein, including contact information, recent and missed calls, and voicemails. Now, a similar bug has been discovered by a Full Disclosure forum user for Samsung's Galaxy S III, and the problem is more severe. Even if your phone is running the latest software update from Samsung, an attacker with physical access to your handset can bypass the lock screen entirely and access all of the applications and information on your phone.

The process sounds simple, though any attacker with physical access to your phone would probably need some time to actually exploit it. From the lock screen the attacker would need to tap the Emergency Call button, bring up the emergency contacts list, and then tap the Home button followed by the power button. The timing is tricky to pull off—it took us a couple dozen tries on our AT&T Galaxy S III running Android 4.1.1—but if you've done it right, pressing the power button again will bring up the phone's home screen and give you full access to everything on the phone. Once our phone was unlocked, even if we put the screen to sleep by pressing the power button, pressing the power or home button again would bring up the home screen and not the lock screen. The phone wouldn't actually re-lock until we rebooted it.

Engadget reports that Samsung is also aware of a similar exploit on its Galaxy Note II line of smartphones and is working on a fix—we don't yet know whether this software update will also fix the issues with the Galaxy S III, but we'll follow the situation and let you know when Samsung has issued an update.

When the (last round of) news about Apple's lockscreen bug hit, I made some disparaging remarks about their software QA. I may have been off-base.

Perhaps this kind of bug is something systematic with the whole locked-but-not-really-cause-some-stuff-is-still-available paradigm of modern smartphones.

That said, maybe this is something to which special attention should be paid during test.

you'll get bugs as long as people make software.

Well, yes, but the same type of bug over and over? That indicates that the problem is systematic. Like I said, my original thought was 'Well Apple's QA process is jacked'. Since Apple's not the only one having this class of bug, it has evolved to 'Maybe the systematic failure is with the paradigm, not the particular implementation'

Quote:

When the (last round of) news about Apple's lockscreen bug hit, I made some disparaging remarks about their software QA. I may have been off-base.

Perhaps this kind of bug is something systematic with the whole locked-but-not-really-cause-some-stuff-is-still-available paradigm of modern smartphones.

That said, maybe this is something to which special attention should be paid during test.

you'll get bugs as long as people make software.

Well, yes, but the same type of bug over and over? That indicates that the problem is systematic. Like I said, my original thought was 'Well Apple's QA process is jacked'. Since Apple's not the only one having this class of bug, it has evolved to 'Maybe the systematic failure is with the paradigm, not the particular implementation'

Poor software architecture. Maybe the next design will be better.

Off topic: I got a square Microsoft surface ad on my last pageload which didn't play nice. It obscured article text and the "close" button did not make it go away.

It's not a fault of QA really. These types of bugs are just very difficult to find. It basically takes somebody with a LOT of time to try different random combinations to see if they can get it to unlock.

How does an attack like this apply to just one specific model? All Androids have Home and Power buttons. How much does Samsung's lock screen functionality differ from the Android standard? I know HTC does all sorts of customization to Sense UI, but I was under the impression that Samsung stays a bit closer to the base.

Tried repeatedly with my SGH-i747M running 4.1.1, but I can't for the life of me replicate the security bypass.

I can see the homescreen briefly, but if I leave the screen on, it immediately locks. If I hit the power button twice, it's locked when the screen comes up.

Anyone have any different experiences?

EDIT: Couldn't get it to work over 50+ attempts in portrait, but worked first try when the emergency dialer was in landscape orientation. Those of you looking to replicate it and having difficulties, try this.

Quote:

How does an attack like this apply to just one specific model? All Androids have Home and Power buttons. How much does Samsung's lock screen functionality differ from the Android standard? I know HTC does all sorts of customization to Sense UI, but I was under the impression that Samsung stays a bit closer to the base.

If someone gained physical access, no device is secure. If the device is turned on, any encryption key is loaded into RAM and with some work can be recovered. I never consider any lock or login screens as strong security.

Took me about ten minutes to pull it off. However I could not do it with the facial recognition on which I usually use. Maybe I haven't gotten the timing right on that yet but has anyone else tried that?

The 'too' in the headline is a bit troublesome for me -- who else has one and when/how long ago did Ars report on it? I'm sure it's in the article, but still...

If it was Apple...cmon. Kill the tit for tat stuff please. That's the realm of fanboys.

edit: I was right. And looking at the already promoted comment (shaking my head) Ars went (spoiler: fanboy trolling) on us.

Okay, seriously. So this is a brain dump of a person reading this article and commenting as they are reading, but not thinking. Really? A complaint about one little word causing trolling? Pot, kettle, black.

I believe the public at large received it at face value. It is de facto news that more than one device, particularly from different hardware manufacturers and different software platforms, have a similar bug. And it's news to not be complacent just because you don't have an iPhone. It's the same idea if the iPhone suddenly got malware. How would "hey iPhone gets malware, too" be a troll?

The story itself leads to trolling and obligatories without that word, so your complaint is moot.

Interesting! My GF has an Android (S GS3). She fudged the unlock pattern the other day and it let her in. I, too, saw that the pattern lines weren't the usual ones she uses to unlock the phone, but it let her in anyway.

On iOS you can't read most data from the drive without unlocking the device, because your lock key is used to encrypt the drive*.

All of the lock screen bypassing features on iOS are severely limited, and mostly involve the emergency call feature (which is required to be functional by law on any phone, even if the owner has chosen to lock the device with a pin code).

* actually, your lock key is sent to a dedicated hardware component which does a slow key derivation function involving an area of memory that cannot be read by any other means in order to calculate the key that is actually used to encrypt the drive.

The only loophole is data backups... a backup stored on your home PC or in the cloud needs to be readable without access to the private key on each device (in case the device is stolen/damaged/etc), so if you do a backup it is either unencrypted or encrypted in a way that involves a pretty weak key.

You can do full disk encryption on Android. It makes installing your own ROM a more lengthy process (with a higher technical aptitude).

There is also software available for unlocked Android devices to just encrypt the SD card if you desire - or even just a portion of it.

Encryption is useless unless you have a strong key however. If you've got a 4 digit pin it can be decrypted in seconds (or minutes for a 10 character password), unless you have some kind of hardware encryption solution like iPhones have.

Quote:

You can do full disk encryption on Android. It makes installing your own ROM a more lengthy process (with a higher technical aptitude).

There is also software available for unlocked Android devices to just encrypt the SD card if you desire - or even just a portion of it.

Encryption is useless unless you have a strong key however. If you've got a 4 digit pin it can be decrypted in seconds (or minutes for a 10 character password), unless you have some kind of hardware encryption solution like iPhones have.

The hardware assist does nothing to solve the problem of low-entropy passwords. No matter how many layers of secure encryption are wrapped around a keyspace of 10000 unique keys, there's still only 10000 unique keys to try before a brute-force is guaranteed to succeed.

Quote:

The hardware assist does nothing to solve the problem of low-entropy passwords. No matter how many layers of secure encryption are wrapped around a keyspace of 10000 unique keys, there's still only 10000 unique keys to try before a brute-force is guaranteed to succeed.

If you assume:

Every person on the planet owns 10 computers.
There are 7 billion people on the planet.
Each of these computers can test 1 billion key combinations per second.
On average, you can crack the key after testing 50% of the possibilities.

Then the earth's population can crack one encryption key in 77,000,000,000,000,000,000,000,000 years!

The actual encryption used for the filesystem for first release is 128 AES with CBC and ESSIV:SHA256. The master key is encrypted with 128 bit AES via calls to the openssl library.

Others with other methods exist also.

But this isn't some flimsy pseudo-encryption we're talking about, and it's not based upon your unlock PIN (though most require you to have unlocked the system to access the encrypted contents of the SD Card).

Final note: Even a 1-bit encryption key would afford you some legal protection. No "actual" protection in that it could be accessed almost immediately by anyone with the will to break the encryption, but legally, that shows you want your data concealed and more squarely puts you in the "not publicly accessible" arena.

Quote:

It is de facto news that more than one device, particularly from different hardware manufacturers and different software platforms, have a similar bug. And it's news to not be complacent just because you don't have an iPhone. It's the same idea if the iPhone suddenly got malware. How would "hey iPhone gets malware, too" be a troll?

I just think they should have either explicitly referenced the iPhone in the headline or dropped the 'too'.

It has nothing to do with the article itself.

Quote:

The story itself leads to trolling

No comment. Your words, not mine.

Almost any article related to Android or Apple will lead to some level of trolling. This one was no exception.

Quote:

The hardware assist does nothing to solve the problem of low-entropy passwords. No matter how many layers of secure encryption are wrapped around a keyspace of 10000 unique keys, there's still only 10000 unique keys to try before a brute-force is guaranteed to succeed.

The hardware assist makes testing 10,000 keys a fairly slow process. I've tried to find a source for how slow it actually is in the real world but all I can find is old stuff that doesn't apply to current hardware or stuff that uses some other attack vector.

If you really care about security you won't use a 4 digit pin of course. Personally I only use the pin code to prevent friends/family from doing stuff I don't want them to do with my phone (pranks, etc).
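The cost argument running through the last several posts (a 4-digit PIN is only 10,000 keys; a hardware-bound, deliberately slow key derivation makes each of those guesses expensive; a 128-bit key is out of reach at any rate) is worked below as an added Python example. This is editor-written illustration, not code from the article, from any commenter, or from Apple or Samsung. Its assumptions: a PBKDF2-HMAC-SHA256 derivation stands in for the per-device hardware key derivation the iOS post describes, the constructed DEVICE_SECRET stands in for key material that only the handset can use, the 100,000-iteration work factor and the 80 ms-per-guess figure are made-up round numbers, and the "planetary" guess rate is the one assumed in the thread (7 billion people, 10 computers each, 1 billion guesses per second per computer).

```python
import hashlib

# Constructed stand-in for device-bound key material that only the handset's
# hardware can use; an attacker who merely copies the flash does not obtain it.
# This is an assumption for illustration, not a real device identifier.
DEVICE_SECRET = bytes.fromhex("5a" * 32)
ITERATIONS = 100_000  # assumed per-guess KDF work factor (made-up round number)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(passcode: str, device_secret: bytes = DEVICE_SECRET,
               iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the passcode and the device secret -> 128-bit key.
    Every guess, whoever makes it, has to pay 'iterations' hash invocations."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                               device_secret, iterations, dklen=16)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct secrets: 10**4 for a 4-digit PIN, 2**128 for an AES-128 key."""
    return alphabet_size ** length


def expected_brute_force_years(space: int, guesses_per_second: float) -> float:
    """Average time to hit the secret, i.e. after testing half the keyspace
    (the 50% assumption used in the thread)."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def thread_planetary_rate() -> float:
    """Guess rate assumed in the thread: 7e9 people x 10 computers x 1e9 guesses/s."""
    return 7e9 * 10 * 1e9


def pin_guesses_per_second(seconds_per_derivation: float) -> float:
    """Effective guess rate when each guess must run the slow derivation on-device."""
    return 1.0 / seconds_per_derivation


def brute_force_pin(target_key: bytes, device_secret: bytes = DEVICE_SECRET,
                    iterations: int = ITERATIONS, digits: int = 4):
    """Exhaust every PIN of the given length against a derived key.
    Returns (pin, guesses_made), or (None, keyspace) if nothing matched.
    Models the attacker who can drive the derivation but must pay its cost."""
    space = keyspace(10, digits)
    for n in range(space):
        pin = str(n).zfill(digits)
        if derive_key(pin, device_secret, iterations) == target_key:
            return pin, n + 1
    return None, space


if __name__ == "__main__":
    rate = thread_planetary_rate()
    print(f"AES-128 key at planetary rate: "
          f"{expected_brute_force_years(keyspace(2, 128), rate):.2e} years")
    print(f"4-digit PIN at planetary rate: "
          f"{expected_brute_force_years(keyspace(10, 4), rate):.2e} years")
    # On-device, every guess pays the derivation; assume 80 ms per guess.
    slow = pin_guesses_per_second(0.08)
    seconds = expected_brute_force_years(keyspace(10, 4), slow) * SECONDS_PER_YEAR
    print(f"4-digit PIN at {slow:.1f} guesses/s: {seconds:.0f} s on average")
    # Exhaustive search demonstrated with a small work factor so it finishes quickly.
    print(brute_force_pin(derive_key("2718", iterations=500), iterations=500))
```

The two halves make the point from both sides: the slow, device-bound derivation turns 10,000 guesses from "seconds" into minutes and forces the work to happen on the handset, but it cannot change the fact that the search finishes after at most 10,000 guesses, whereas a full 128-bit key is unreachable even at the thread's planetary rate.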

And yet, at the end of the day, I still don't have these kinds of ridiculous flaws on my Blackberry. Why don't Apple and Samsung contract for someone who has tons of experience securing mobile OSes to harden their systems?

@Doodler67: Too bad Android's facial recognition system is a joke. I'm a typical Caucasian white guy. I grabbed an image of some really dark African out of a National Geographic magazine, and yep it let me in. Nice huh?

Quote:

And yet, at the end of the day, I still don't have these kinds of ridiculous flaws on my Blackberry. Why don't Apple and Samsung contract for someone who has tons of experience securing mobile OSes to harden their systems?

This exploit must have taken hours and hours of fiddling or else the person just got really lucky. I hate to say it, but if your platform doesn't have a lot of users, stuff like this won't get found because the right level of scrutiny just isn't there. According to today's comScore numbers, Android has 9 times the users in the US than BB. Now if you can point me to someone who has spent 100 hours or more fiddling with the BB lock screen, who is motivated to find bugs (not paid by BB), and has expertise similar to the people who found the Apple and Android bugs, I will eat my words.

Andrew Cunningham / Andrew has a B.A. in Classics from Kenyon College and has over five years of experience in IT. His work has appeared on Charge Shot!!! and AnandTech, and he records a weekly book podcast called Overdue.